Hello, DEF CON. Nice to meet you. Let me introduce myself. My name is Sergey Puzankov. I work at Positive Technologies as a telecom security expert. A couple of words about my experience. I have been working in the telecom industry for more than 18 years. During this period, I worked at a telecom equipment vendor as a support engineer, I worked at a huge multinational mobile operator as a quality engineer, and now my current position is telecom security expert, where I perform security research and perform penetration tests or security assessments of mobile networks. All our findings we contribute to non-commercial organizations such as ITS and ITM and GSMA, and also we share this information at security conferences. And now I'm going to share my recent research with you.

The subject of this presentation is SS7. But what is SS7? SS7 is a control plane of protocols. This is not one protocol but a set of protocols that is primarily intended to set up and release telephony calls. When mobile telephony appeared, SS7 started processing SMS messages, subscriber mobility and some other services.
SS7 works between network elements only, not on the user side. The elementary portion of SS7 signaling is called a message. I will use this term throughout the presentation; just remember that a message is similar to a packet in IP networks. Nowadays SS7 is used in fixed telephony, in mobile networks of 2G and 3G standards like GSM and UMTS, and for interconnection with next generation networks like LTE and, in the future, 5G.
There is an opinion that SS7 is an obsolete technology and tomorrow or the day after tomorrow we all will use only 4G and 5G mobile devices. But if we look at the official statistics from GSMA (GSMA is the association of all mobile operators, mobile operators of all standards), we could see we are somewhere here now, at this point, and the number of 2G and 3G users is about five billion. So each of five billion subscribers could be a target of the SS7 hacker. Once the hacker got access to SS7, they are able to intercept all subscribers' data like SMS and voice calls. They can receive confidential information, including information about subscriber location, and they could perform those attacks on single subscribers or on whole networks. Also these hackers are able to take control over the digital identity, including emails, social networks, messaging applications like WhatsApp, Telegram and so on. And also hackers in signaling networks are able to steal money, for example from balances of subscribers, or using some fraudulent activity against the operator at all.
Why is SS7 insecure? To answer this question we need to look at the history of SS7 development. When SS7 was developed, it was the era of trusted networks, because there were only a few telephone operators who were connected to SS7. But later SIGTRAN was introduced.
...
SS7 was an isolated network, but from this point SS7 stopped being isolated. In the 80s mobile operators became widespread, so there are a lot of subscribers, a lot of new players in this market, a lot of traffic. And nowadays the trusted era is over, because more and more operators are connected to SS7.
Mobile operators are aware of this problem and they protect their networks. They use a lot of security tools such as SS7 firewalls, SMS home routing, signaling IDS, and also they can configure equipment securely. And one more thing: mobile operators order external penetration testing of their signaling networks in order to understand how the networks look from an external hacker's point of view.

So I will speak about mobile networks, and I need to describe some terms, some identities and node elements of these networks.
The first identity is MSISDN. This identity with this long abbreviation is just a telephone number; we all use it. The next term is GT, or global title. This is the address of a core node element, and the global title has a structure similar to MSISDN, that is, similar to telephone numbers. The third identity is IMSI, International Mobile Subscriber Identity; this is the identifier of a SIM.

And nodes. STP, signal transfer point: this is a router of signaling traffic, of signaling messages between core network elements. HLR, home location register: this is a database of all home subscribers of the operator. This database contains subscriber profiles, which contain subscriber identifiers, IMSI and MSISDN, lists of allowed and prohibited services, and some other technical information. The next element is MSC and VLR. This node performs two functions. The first of them is MSC, mobile switching center; this node is responsible for voice call routing. And VLR, visitor location register: this is one more database. This database contains information about active subscribers who are under the coverage area of this node. The VLR receives copies of subscriber profiles from the HLR and enriches them with some information from the radio access part, for example cell identity. And the last node is SMSC, or SMS center; this node is responsible for SMS processing.

Since the subject of this presentation is SS7, I need to describe the structure of this protocol. I omit some lower layers of
this protocol stack, because they are responsible for neighbor-to-neighbor communication. The lowest layer protocol that is used on international communication is SCCP, or Signaling Connection Control Part. This layer is responsible for the routing of signaling messages; it contains such information as source address, destination address and some payload, that is the TCAP protocol. The next protocol, TCAP, Transaction Capabilities Application Part, is responsible for transactions and dialogues. This protocol ties single requests and responses into one transaction or one dialogue. And the top layer protocol, MAP, Mobile Application Part: this protocol is the payload of the signaling message; it contains the operation itself and all the parameters of each operation.
Signaling networks have their own security tools. They are: signal transfer point. I have already mentioned it as a router of signaling traffic, but also this node is able to block some illegitimate traffic. SMS home routing: this solution is intended to prevent SMS fraud and SMS spam, and also to hide IMSI identifiers. And one more security tool is the SS7 firewall. This is the most sophisticated tool, that could protect signaling networks against most signaling attacks, such as IMSI disclosure, location tracking, voice interception and so on.
Some details about each signaling security tool. Signal transfer point: I have already mentioned it twice. This is the router of signaling messages. This node is usually installed on the border of the network, and this network element receives all the external signaling traffic. So it is reasonable to bring some security mechanisms into this network element. But STP is able to block signaling traffic only by some simple rules: for example, block a particular operation code, block some source of the traffic, and maybe in some cases combinations of these. So, you see, simple rules.
The next protection tool is SMS home routing. But before I explain how it works, I'd like to describe how the SMS delivery process works in mobile networks. We have an SMS center that should deliver an SMS to the subscriber. Normally the SMS center does not know where the subscriber is located, because all subscribers are mobile and this subscriber could be anywhere around the world. So first of all the SMS center should request some routing information to deliver this message. It sends the send routing info for SM signaling message to the home network of the subscriber. This signaling message comes to the database, HLR. HLR always knows where the subscriber is located. HLR replies with two data: they are the IMSI identity and the address of the current MSC. After that the SMS center knows the address where to deliver the message, and it does it. It delivers the SMS to the appropriate MSC, and the MSC after that delivers this SMS to the radio access system and finally to the subscriber.

When intruders appear in the SS7 network, they are able to use this dialogue to retrieve the IMSI identity and the identity of the current MSC. This is confidential information that may be used for other sophisticated attacks. To protect the network, the SMS router was introduced in the network as a new network element. And now, when the border STP receives the send routing info for SM signaling message, it should deliver this message not to the HLR, but to the SMS router. The SMS router generates some random IMSI, a fake IMSI, and sends this in the response, and also it uses its own address instead of the MSC's one. After that, the SMS comes to the SMS router. The SMS router correlates this fake IMSI with the MSISDN number and initiates one new SMS delivery process inside the network. It sends the same send routing info for SM to the HLR, internally in the home network. HLR replies with correct data. After that, the SMS is delivered to the right MSC and addressed to the right subscriber. Here we see two SMS delivery processes. The first one is external, and the second one is fully internal, and what we see is that no confidential information goes abroad, only fake data. Now if an intruder appears in the SS7 network, this intruder can send the send routing info for SM signaling message; this message is delivered to the SMS router, and the SMS router replies with fake data.
So the network is protected. And the third security tool, SS7 firewall. The SS7 firewall is usually implemented not in-line but in loop mode. It looks like this: when an SS7 message comes to the STP, the STP routes it to the SS7 firewall. The SS7 firewall has a lot of rules, smart rules, to define if this signaling message is illegitimate or not. If the message is illegitimate, not malformed but hostile, the SS7 firewall just blocks it; otherwise it sends it back to the STP, and the STP delivers the message into the home network, to the destination node.
All SS7 firewalls rely on GSMA rules. GSMA actually has done great work: they classified all potentially hazardous signaling messages into three categories. The first category contains the list of operations that may be used only for internal signaling exchange. If this traffic comes from external connections, all this signaling traffic should be blocked. Category 2 consists of the list of signaling messages that should be related to inbound roamers. For example, I am an inbound roamer here in China; I came from Russia. My Russian operator can send some signaling traffic to the Chinese operator, and this signaling traffic should be related to my identity. If the same Russian operator sends the same signaling traffic to the Chinese operator that is related to Chinese subscribers, this traffic is illegitimate. And category 3: the list of operations of category 3 is also available on the interconnection, but category 3 is the opposite of category 2. All the operations from category 3 are related to outbound subscribers. For example, I am an outbound subscriber from my home network's point of view, and if I perform some operations here, the Chinese operator sends some signaling traffic to my home, to the Russian operator, and this traffic should be related to my subscriber identity. If the Chinese operator sends the same signaling traffic to the Russian operator that is related to other subscribers who are at home, this traffic is illegitimate.

And now I will describe several attacks, several vulnerabilities, and to make this story more interesting I'll imagine some intruder who will perform illegitimate activity step by step, receiving some information from the network, and on each step this intruder will exploit different vulnerabilities of the mobile networks. First, what the intruder needs is the IMSI identity, and to receive this identifier our intruder will exploit the vulnerability of malformed application context name. To explain what the application context is, I need to explain some details about the TCAP protocol. The TCAP protocol
consists of several fields. The first one is TCAP message type; this is a mandatory field. The second one is transaction identity, one or two; this is also a mandatory field. The next block, not a field but a huge block, is the dialogue portion. This portion contains the application context name, and the application context name defines the operation that is coded on the upper layer, on the MAP layer. And the MAP layer itself is laid inside the component portion. The two last blocks, dialogue portion and component portion, are optional parameters in the TCAP protocol.

Let's look in some detail at the application context name. This is a set of numbers; each number has its own definition, but in all the MAP operations the first six numbers are constant. And let's see what happens if our intruder changes one of these constant values to some value that is not supported, that is out of range. For example, they change 0, that means ETSI as the identified organization, to number 4, that is an unknown value for the standard. And the intruder sends the send routing info for SM signaling message with the malformed application context. This signaling message comes to the STP, and the STP starts inspecting this message layer by layer, and here the STP faces the malformed application context. STP considers that the whole message is also malformed, and what is the decision? Of course, pass this message into the network: the destination node is known, this is HLR. STP does not look inside, does not inspect other protocols, that is MAP, and on the MAP protocol STP could find the operation code send routing info for SM, which means the message should be routed not to the HLR but to the SMS router, to implement the SMS home routing procedure. STP sends this message to the HLR; it considers that the destination node should decide if this message is malformed or not, this destination node should decide whether it should reply to this message with an error or with a normal signaling message. And what happens? HLR ignores the malformed application context and replies with correct data, with correct IMSI and correct MSC address.

But this is not all in this attack. Normally the hacker doesn't know if this data is correct or not, because if the SMS home routing procedure is implemented, the hacker receives the same structure of data. To be sure that SMS home routing is bypassed, the hacker needs to send absolutely the same signaling request and compare the IMSI identity in the next response. If the SMS home routing procedure works, the intruder receives two different random IMSIs in the two responses, but if the intruder sees equal IMSIs, that means the SMS home routing solution is bypassed.

So now our intruder has received some confidential technical data about the target subscriber, but this is not valuable for our intruder, and they want to find where this subscriber is located. And now the intruder will perform one more attack, location tracking, and will exploit another vulnerability, that is substitution of the operation code tag. But before I explain the attack mechanics, I need to describe some technical information about signaling networks. I have mentioned that MSISDN and global titles have the same structure.
They consist of groups of digits. The first group defines the country; this is the country code, in this case this is China. The second group defines the mobile or fixed operator; this is the network destination code. I took these digits, 854, randomly, so I don't know if there is an operator with this code in China. And the third group of digits defines a subscriber, or a node if this is a global title. The next identity type is IMSI. It also consists of three groups of digits. The first group defines the mobile country; this is the mobile country code. The second group defines the network, the mobile network code. And the third group of digits defines the particular subscriber. Pay your attention: these codes might belong to the same operator, and if we speak about correlation or comparison of operators, we do not compare digits of the global title and IMSI digit by digit, but first we need to define the operator by the global title prefix and the operator by the IMSI prefix, and after that do the comparison.

How it works in SS7 firewalls: in this example, the SS7 firewall receives some signaling message, this is provide subscriber info, and it inspects it layer by layer. It defines the operation. Provide subscriber info belongs to category 2 according to the GSMA classification. That means that the SS7 firewall needs to define the source operator from this part, from the SCCP layer, and the target subscriber's operator from the MAP layer. What do we see? The source operator is somewhere in Switzerland, this is a Swiss operator, and the subscriber is from China, from a Chinese operator. These two operators are not equal, so the decision is to block this incoming message.

Let's look in some more detail. This is the ITU recommendation that describes the TCAP protocol, and here we see an interesting thing: the TCAP operation code tag might be a local or a global value, and they have different values, 2 and 6. Normally in all MAP messages the local operation code is used, for both local signaling traffic and international signaling traffic. On the traffic dump it looks like this: 02, this is the local operation code tag; then 01, this is the length of the operation code itself; and 46, this is the hexadecimal code of this operation, of the provide subscriber info request. Let's see what happens if our intruder substitutes the tag of the operation code. The intruder sends the provide subscriber info signaling message, but they use 06 instead of 02, instead of the normal value. The protocol decoder cannot decode this message at all, and what happens then? STP sends this message to the SS7 firewall, but the SS7 firewall expects only local values, and it ignores all the global values. It sends this message back to the STP, and the STP delivers it to the destination node, that is MSC and VLR. And one more surprise: MSC and VLR reply with a normal message, and it codes the operation with the normal, local operation code tag. Here in this message we can see the identity of the cell that serves the target subscriber. So the location tracking attack is done, the SS7 firewall is bypassed. During this research we sent this kind of malicious traffic to equipment of four different vendors, and all nodes replied with normal responses that were coded with local operation code tags. So our intruder knows
the location of the target subscriber, but it's not enough: the intruder wants to intercept a voice call, or a lot of voice calls, of this subscriber. And now the intruder will exploit one more vulnerability that is connected with double MAP, or double component, encoding. First of all, let's look at how the classical voice call man-in-the-middle attack works in mobile networks, in signaling networks that are not protected. First of all, the intruder sends insert subscriber data. This signaling message contains the IMSI and some information that is intended to change the billing system of this subscriber in the profile. This message is delivered to the MSC and VLR. This node sends OK, and the profile of the target subscriber, whose IMSI is in the message, is updated. After that the intruder just finalizes the transaction, and now the intruder should wait for the subscriber to call. When this target subscriber, who is red on the picture, calls, the information comes to the MSC, and the MSC should perform the billing process. It sends the initial DP signaling message to the billing platform, to the spoofed, fake billing platform that is under the hacker's control. After that the hacker is able to send a connect message with a private branch exchange number, and this is a direction to redirect, to forward the call to this new number. The MSC just redirects this call to the PBX. After that, the hacker is able to initiate one more new call to the target operator and use this number information, because the initial DP signaling message contains information about the A and B subscribers, about the calling and called subscribers. In this case the intruder just makes a call to the correct B subscriber and spoofs the address of the A subscriber. This call comes to the operator, two subscribers are able to communicate with each other, but all the voice traffic goes through the hacker-controlled equipment.

The SS7 firewall, of course, is able to block this attack.
The insert subscriber data signaling message from the hacker comes to the network. STP sends this signaling message to the SS7 firewall, and the SS7 firewall starts inspecting this message. It finds that the operation code is insert subscriber data; this operation code belongs to category 2, which means the SS7 firewall should compare the operators of the source and the target subscriber, and we know Switzerland is not China, so this message should be blocked. The attack is impossible.

One more interesting thing about the TCAP protocol. When I was speaking about this protocol, I mentioned the component portion, and I said this component portion includes the MAP operation itself. But the standard suggests that it could be more than one component within one TCAP primitive. Each component should have its own operation, and they might have different subscriber identities. When SS7 firewalls face this kind of signaling message, this is a really unexpected message. SS7 firewalls usually inspect only the first part, the first component, and consider that the second component is just a long tail of the first component; they do not look at this. Let's look at how the intruder can use this feature of the signaling protocol. The intruder sends a signaling message that contains two operations in two components. The first one is insert subscriber data and the second one is delete subscriber data.
From the MSC's point of view, this combination, simultaneous insert and delete, is something wrong and unknown; this is an impossible combination. That's why the MSC sends an error message, return error. It looks normal at first glance, but this signaling message with the error goes in a TCAP continue signaling message. That means that the MSC says something like this: I don't understand you, please repeat your request within the same transaction. And the intruder does. The intruder sends one more signaling message within this transaction that again consists of two components. Both of them are insert subscriber data operations. The first component is without a subscriber identity, and the second one contains the identity of the target subscriber. The SS7 firewall again inspects only the first component. It sees that the first component is absolutely normal and passes this message to the network. Now the MSC has two insert subscriber data requests within one TCAP message. The MSC sends OK for the first component and OK for the second one. So the subscriber profile is updated. After that, the intruder finalizes the transaction, and now they are waiting for a call. The target subscriber calls. The MSC sends the initial DP signaling message to the intruder's equipment. The intruder replies with connect to the PBX. The call goes to the hacker's PBX. After that, the hacker redirects this call one more time, to the B subscriber. The subscribers are able to talk to each other, but all the traffic goes through the hacker's PBX. And this attack is successful, and the SS7 firewall is bypassed.
And what I can say as a conclusion. Really, the stack of SS7 protocols has some problems. The first of them is architectural flaws. The second one: operators usually make a lot of mistakes in the configuration, first of all in STP configuration. Some of the described attacks could be impossible if the STP configuration is correct. And of course, now we see a lot of software bugs in telecom equipment. For example, in the last case we saw that the MSC said, I don't understand, please continue, repeat your request. But insert and simultaneous delete should be rejected at all, just on the first request.

Message to mobile operators. Please check your security tools as soon as a new vulnerability is reported. You also should use intrusion detection systems together with SS7 firewalls, because some attacks could not be blocked on the SS7 firewalls, but IDS are able to detect them. Block almost all double MAP messages: during our research and during our monitoring of signaling, we saw only one legal pair with double MAP components, this is begin subscriber activity and process unstructured data. And of course, configure STP and firewalls carefully, and don't forget about application context names, malformed application context names, and operation codes, local and global.

Thank you for your attention. Please, questions. Thank you.
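The following is an added example, not code from the talk or from Positive Technologies' tools, to make the firewall checks described in the talk concrete. It is a small Python model of a TCAP Begin with its component portion, plus two rule sets: naive_verdict, which behaves like the firewalls in the talk (first component only, opcode tags other than local passed through), and hardened_verdict, which blocks global opcode tags and multi-component messages and checks every category 2 operation's IMSI against the sending global title by operator prefix lookup rather than digit by digit. The BER/TCAP encoding is simplified (single-byte tags, no dialogue portion, so the malformed application context case is not modelled), the operator prefix tables, global title and IMSIs are constructed test data, and all function and constant names are my own.

```python
from dataclasses import dataclass
from typing import Optional

# BER identifier octets for the TCAP/MAP fields this toy decoder handles
TAG_BEGIN, TAG_OTID, TAG_COMPONENTS = 0x62, 0x48, 0x6C  # Begin, otid, component portion
TAG_INVOKE, TAG_SEQUENCE, TAG_IMSI = 0xA1, 0x30, 0x80    # Invoke, MAP argument, [0] imsi
TAG_OPCODE_LOCAL, TAG_OPCODE_GLOBAL = 0x02, 0x06         # INTEGER vs OBJECT IDENTIFIER opcode
# MAP local operation codes from the talk (ISD 7, DSD 8, PSI 70 = 0x46), treated as
# GSMA category 2: the subscriber must be an inbound roamer of the sending operator
OP_ISD, OP_DSD, OP_PSI = 7, 8, 70
CATEGORY2 = {OP_ISD, OP_DSD, OP_PSI}
# Constructed (hypothetical) operator tables: longest-prefix match on GT and on IMSI
# separately, so the two identifier types are never compared digit by digit
GT_PREFIX_TO_OPERATOR = {"4179": "swiss-op", "86854": "cn-op"}
IMSI_PREFIX_TO_OPERATOR = {"22801": "swiss-op", "46000": "cn-op"}


def tlv(tag: int, value: bytes) -> bytes:
    """BER TLV, short-form length (every sample message here is < 128 octets)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def iter_tlvs(buf: bytes):
    """Yield (tag, value) for each single-byte-tag TLV in buf (long-form lengths accepted)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: next (length & 0x7F) octets hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[pos:pos + length]
        pos += length


def tbcd_encode(digits: str) -> bytes:
    """TBCD as used for IMSI: two digits per octet, low nibble first, 0xF pad."""
    digits += "F" * (len(digits) % 2)
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))


def tbcd_decode(raw: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")


def invoke(invoke_id: int, opcode: int, imsi: Optional[str] = None, global_tag: bool = False) -> bytes:
    """Invoke component. global_tag=True mimics the talk: same one-byte opcode, tagged 06 not 02."""
    op = tlv(TAG_OPCODE_GLOBAL if global_tag else TAG_OPCODE_LOCAL, bytes([opcode]))
    arg = tlv(TAG_IMSI, tbcd_encode(imsi)) if imsi else b""  # imsi is OPTIONAL in ISD
    return tlv(TAG_INVOKE, tlv(0x02, bytes([invoke_id])) + op + tlv(TAG_SEQUENCE, arg))


def tcap_begin(*components: bytes) -> bytes:
    """TCAP Begin: otid plus component portion (dialogue portion omitted; it is optional)."""
    return tlv(TAG_BEGIN, tlv(TAG_OTID, b"\x00\x00\x00\x01") + tlv(TAG_COMPONENTS, b"".join(components)))


@dataclass
class Component:
    invoke_id: int
    opcode_tag: int
    opcode: int
    imsi: Optional[str]


def parse_components(begin: bytes) -> list:
    """Every Invoke in the component portion, in order (linkedID is not modelled)."""
    (tag, body), = iter_tlvs(begin)
    if tag != TAG_BEGIN:
        raise ValueError("not a TCAP Begin")
    out = []
    for ctag, cval in (c for t, v in iter_tlvs(body) if t == TAG_COMPONENTS for c in iter_tlvs(v)):
        if ctag != TAG_INVOKE:
            continue
        (_, inv_id), (op_tag, op_val), *rest = iter_tlvs(cval)
        imsi = next((tbcd_decode(pv) for _, p in rest for pt, pv in iter_tlvs(p) if pt == TAG_IMSI), None)
        out.append(Component(inv_id[0], op_tag, op_val[0], imsi))
    return out


def operator_of(table: dict, digits: str) -> Optional[str]:
    return next((table[digits[:n]] for n in range(len(digits), 0, -1) if digits[:n] in table), None)


def check_category2(calling_gt: str, comp: Component, missing_identity: str) -> str:
    """Category 2 rule: sender's operator (by GT) must equal the subscriber's operator (by IMSI)."""
    if comp.opcode not in CATEGORY2:
        return "pass"
    if comp.imsi is None:
        return missing_identity
    src, dst = operator_of(GT_PREFIX_TO_OPERATOR, calling_gt), operator_of(IMSI_PREFIX_TO_OPERATOR, comp.imsi)
    return "pass" if src is not None and src == dst else "block"


def naive_verdict(calling_gt: str, begin: bytes) -> str:
    """The firewall behaviour from the talk: first component only, global opcode tags ignored."""
    comps = parse_components(begin)
    if not comps or comps[0].opcode_tag != TAG_OPCODE_LOCAL:
        return "pass"
    return check_category2(calling_gt, comps[0], missing_identity="pass")


def hardened_verdict(calling_gt: str, begin: bytes) -> str:
    """Block non-local opcode tags and multi-component TCAP outright; require an identity."""
    comps = parse_components(begin)
    if len(comps) != 1 or comps[0].opcode_tag != TAG_OPCODE_LOCAL:
        return "block"
    return check_category2(calling_gt, comps[0], missing_identity="block")


# Constructed sample traffic: a Swiss GT sending MAP into a Chinese network
SWISS_GT, SWISS_IMSI, CHINESE_IMSI = "41791234567", "228011234567890", "460001234567890"
LEGIT_ISD = tcap_begin(invoke(1, OP_ISD, SWISS_IMSI))                          # home HLR updates its own roamer
PSI_LOCAL = tcap_begin(invoke(1, OP_PSI, CHINESE_IMSI))                         # plain location query
PSI_GLOBAL_TAG = tcap_begin(invoke(1, OP_PSI, CHINESE_IMSI, global_tag=True))   # opcode tag 06 instead of 02
DOUBLE_ISD = tcap_begin(invoke(1, OP_ISD), invoke(2, OP_ISD, CHINESE_IMSI))     # identity only in 2nd component

if __name__ == "__main__":
    for name, msg in [("legit ISD", LEGIT_ISD), ("PSI local", PSI_LOCAL), ("PSI global tag", PSI_GLOBAL_TAG), ("double ISD", DOUBLE_ISD)]:
        print(f"{name:15} naive={naive_verdict(SWISS_GT, msg):5} hardened={hardened_verdict(SWISS_GT, msg)}")
```

Running the file prints the naive and hardened verdicts for the four constructed messages: the legitimate insert subscriber data passes both, the plain provide subscriber info is blocked by both, and the two bypasses from the talk (the 06 opcode tag and the double insert subscriber data with the identity in the second component) pass the naive check and are blocked by the hardened one. A real firewall would key the prefix tables from the numbering plan and IMSI ranges it actually serves and would also have to parse the dialogue portion's application context name, which this model leaves out.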
